Hello everyone,
First and foremost i am not a systems or developer kind of person. I do my best to read documentation and apply my understanding.
I have several systems that i am overlooking. I am using GrayLog as my central logging server. All logs from all systems get sent here and parsed as needed.
What i am not understanding is the email customization piece. I read the documentation and it just doesnt make sense to me.
I just want certain fields show up in my notification. Thats it.
Example is the backlog message i receive from my firewall.
{index=pfsense_179, message=sshd[36980]: Accepted password for admin from 192.168.50.241 port 65166 ssh2, fields={gl2_accounted_message_size=337, level=6, full_message=<38>Jan 27 19:01:01 sshd[36980]: Accepted password for admin from 192.168.50.241 port 65166 ssh2, gl2_remote_ip=192.168.50.254, gl2_remote_port=514, facility_num=4, gl2_message_id=01GQTTTTRKX4X4QMB424S93Z0V, gl2_source_node=81b4adce-5627-4ee5-a7eb-24daf5c50e9c, gl2_source_input=62e9dd37d226cc3e41bc8d75, facility=security/authorization}, id=d9a7d631-9e9e-11ed-877b-62ad25012329, source=sshd[36980]:, timestamp=2023-01-27T19:01:01.000-05:00, stream_ids=[000000000000000000000001, 62e9b172734e1d1f91cca73b]}
If im understanding the documetnation correctly, i should be able to pluck out from that message fields that i want shown. So for example.
timestamp=
full_message=
Should be simple enough i think. So i go into the event notification
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
Login Alert: ${message.fields.full_message}
Timestamp: ${message.fields.timestamp}
Tested a few times and this just doesnt work. I get the same garbled message thats not formatted to my liking.
Thanks for asking the community! As you’ll see, our peer-to-peer support is awesomely active and you’ll receive recommendations and suggestions from practitioners like you.
If I’m reading your question correctly. this is my response. Keep in mind that this is based on the v5.0 documentation (not sure what version you’re using). I hope this helps get you started on finding the solution that makes sense to you.
To ensure the “timestamp” and “full_message” fields show up in your email notifications, you’ll need to modify the email notification template. The template is written using a syntax called Handlebars, which allows you to include data from a message in the email.
Here’s a corrected version of your template:
— [Backlog] ------------------------------------
Last messages accounting for this alert:
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
Login Alert: ${message.fields.full_message}
Timestamp: ${message.message.timestamp}
${end}
In this template, ${foreach backlog message} will repeat the block of code for each message in the backlog. The fields full_message and timestamp are then accessed with message.fields.full_message and message.timestamp, respectively.
Look forward to other members’ responses, too! We’ll help you find the answer!
These Fields were created by using GELF TCP/TLS but some device will not be able to use GELF type for an input.
If this is the case then probably the easiest way would to use. Extractor or GROK.Then maybe later start using pipeline.
For example here is a REGEX extrator to get traffic type from my firewall logs
This was a lot harder than it needed to be. I see a few posts from other users asking for something similar. We get a syslog message but how do we grab just the things we need and need to be presented? Documentation isn’t clear/good on if the event definition needs to be changed or html body. I found the latter to be easier.
@dscryber Thanks for your input. Thats exactly what i ended up doing. Again, maybe its me not understanding but the documentation isnt clear on how to customize an email message. This was actually the most difficult portion of my graylog setup to get right.
